Egil Aspevik Martinsen Polymorphic Viruses Material from Master Thesis «Detection of Junk Instructions in Malicious Software» 1
History 1982 Elk Cloner Brain 1987 1260 1992 Ply 1997 Melissa ILOVEYOU Zmist Code Red Sobig 2002 Blaster MyDoom Samy XSS Stration Storm 2007 Vandalism/Pranks/?? «Nerds» Money Organized crime / Mafia 2
Two Quotes «The most significant change has been the evolution of virus writing hobbyists into criminally operated gangs bent on financial gain» Mikko Hypponen, F-Secure, 2006, (http://www.f-secure.com/news/items/news_2006011900.shtml) «Last year was the first year that proceeds from cybercrime were greater than proceeds from the sales of illegal drugs, and that was, I believe, over $105 billion» Valerie McNiven, US Treasury, 2006 («Dirty money on the wires: the business models of cyber criminals». Virus Bulletin Conference, 2006) 3
One «Protection Money» Scheme Infected Computers Onlinepoker.com $$$$$$$ Botnet Controller operated by «Mafia» Paying Customer 4
Polymorfism «many forms» Regular viruses Polymorphic viruses Virus A Virus B Form 1.1 Form 1.w fa78743cb329a1 272a2dc3765a1 Form 1 Form 2 Form n PM Virus 5
Case study: Zmist Zmist is a virus employing many polymorphic techniques Zmist is the only virus known to utilize the code integration technique Of the leading 14 antivirus products tested, 7 failed to detect 100% of Zmist samples (AV-comparatives.org, February 2008 On-demand comparative) 6
Clean code Clean code before Zmist Clean code after Zmist Decryptor Initializing code Decryption of engine no De-initializing code Engine decryption completed? Engine yes Decrypted engine code 7
Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx bsf ecx, and ecx, 0x9ACEDD96 [0x41BE98], ebx ecx, esi btr ecx, ecx ecx, 0x5543994C ebx, 0x00426758 imul ecx, edx, 0xA461EDD1 sx ecx, ax [ebx], esi test al, 0xBA test edi, esi imul ecx, esi esi, 0x00000000 bswap ebx [0x424C70], esi ebx, edi add ch, bl esi, 0x0040A7E1 ecx, [esi] ebx, ecx shld esi, ecx, cl esi, 0x00423E40 dec cl inc ecx ecx, esi ebx call 0x00003090 [0x415E64] al, 0x4B xadd, adc, 0x01D257DA esi neg imul esi, ecx, 0xCD32F179 jmp 0x000030AF, 0x004167FC not esi lea esi, [-0x5EA21BF8] esi, esi bsr esi, ecx ecx test esi, [] esi, 0x60C25CE0 bswap esi esi, ebx sx esi, bp xadd esi, esi adc esi, 0x52ED71CC jmp 0x000030E0 test ebx, ecx ah, 0xF9 esi, 0xFCA091F5 imul, esi, 0x45285F96 add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 8 ebx,
Polymorphic Techniques Arbitrary placement of code and data Register renaming Change of code flow Junk instructions Semantically equivalent instructions 9
Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx bsf ecx, and ecx, 0x9ACEDD96 [0x41BE98], ebx ecx, esi btr ecx, ecx ecx, 0x5543994C ebx, 0x00426758 imul ecx, edx, 0xA461EDD1 sx ecx, ax [ebx], esi test al, 0xBA test edi, esi imul ecx, esi esi, 0x00000000 bswap ebx [0x424C70], esi ebx, edi add ch, bl esi, 0x0040A7E1 ecx, [esi] ebx, ecx shld esi, ecx, cl esi, 0x00423E40 dec cl inc ecx ecx, esi ebx call 0x00003090 [0x415E64] al, 0x4B xadd, adc, 0x01D257DA esi neg imul esi, ecx, 0xCD32F179 jmp 0x000030AF, 0x004167FC not esi lea esi, [-0x5EA21BF8] esi, esi bsr esi, ecx ecx test esi, [] esi, 0x60C25CE0 bswap esi esi, ebx sx esi, bp xadd esi, esi adc esi, 0x52ED71CC jmp 0x000030E0 test ebx, ecx ah, 0xF9 esi, 0xFCA091F5 imul, esi, 0x45285F96 add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 10 ebx,
Junk Instruction Detection (JID) Analysis of Zmist 6 months Detection of Zmist? Analysis of new PM virus? days Detection of new PM virus «In fact, while reverse engineering, you can spend up to 80% of your time reading the values in registers and deducing what the code will do or is doing as a result of these values» Konstantin Rozinov, Bell Labs, (rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf) 11
Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx bsf ecx, and ecx, 0x9ACEDD96 [0x41BE98], ebx ecx, esi btr ecx, ecx ecx, 0x5543994C ebx, 0x00426758 imul ecx, edx, 0xA461EDD1 sx ecx, ax [ebx], esi test al, 0xBA test edi, esi imul ecx, esi esi, 0x00000000 bswap ebx [0x424C70], esi ebx, edi add ch, bl esi, 0x0040A7E1 ecx, [esi] ebx, ecx shld esi, ecx, cl esi, 0x00423E40 dec cl inc ecx ecx, esi ebx call 0x00003090 [0x415E64] al, 0x4B xadd, adc, 0x01D257DA esi neg imul esi, ecx, 0xCD32F179 jmp 0x000030AF, 0x004167FC not esi lea esi, [-0x5EA21BF8] esi, esi bsr esi, ecx ecx test esi, [] esi, 0x60C25CE0 bswap esi esi, ebx sx esi, bp xadd esi, esi adc esi, 0x52ED71CC jmp 0x000030E0 test ebx, ecx ah, 0xF9 esi, 0xFCA091F5 imul, esi, 0x45285F96 add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 12 ebx,
Decryptor 1 (D1) Decryptor 2 (D2) Decryptor 3 (D3) call [0x4082FE] [0x41B000], ecx [0x41BE98], ebx ebx, 0x00426758 [ebx], esi esi, 0x00000000 [0x424C70], esi esi, 0x0040A7E1 ecx, [esi] ebx, ecx esi, 0x00423E40 ecx, esi ebx [ecx] esi, 0x00416723 ebx, [esi] ebx ecx ecx [0x424C6C] esi, 0x00424C70 ebx, [esi] ecx, ebx esi, 0x0041B004 ecx [esi] [0x41B004] ebx esi, 0x00416559 call jmp jmp sub sub xor jmp jmp 0x00003090 [0x415E64] esi 0x000030AF, 0x004167FC ecx [] 0x000030E0 esi, 0xFCA091F5 esi, 0x2154A1C0 esi, 0xACEEC496 esi, 0x2E5D2B9F [0x417CF0], esi [0x402A32] esi ecx, esi ecx [0x415E6C] 0x00003174 [0x40A9AB] 0x00003180 [0x415E60], 0x00417CF0 ecx, [] ecx esi add [0x421634], edi [0x41FBFC], ebx edi, 0x00421D90 [0x41FBF0], 0x00000000 edi, 0x004143E2 edi ebx, [] [0x4211B8], ebx edi, [0x4035E5] ebx, edi [0x41FBF8], ebx edi, 0x0041FBF0 ebx, ebx edi, 0x00421630, 0x00421630 ebx, [] ebx, [0x4062A8] [0x421630], ebx edi, [0x421630] 13 ebx,
Polymorphism Today Serverside polymorphism Pre-mutated Payload only High language polymorphism, not assembler Packers Work like Zmist decryptor. Used in clean code to avoid «software cracking» Used in virus code, 3-4 different packers applied 14